Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Ulf Harnhammar (ulfhupdate.uu.se)
Date: Sun Mar 03 2002 - 14:26:05 CST
AeroMail multiple vulnerabilities
VENDOR: Mark Cushman (markcushman.net)
VULNERABLE VERSIONS: all versions below 1.45
SEVERITY: medium to high
"AeroMail is a Web-based email client written in PHP. It uses an IMAP server
to read and store messages in one or more user-defined folders, and its
features include HTTP authentication for login (no cookies), folder
manipulation, support for sending and viewing attachments, inline image
display, multilanguage support, and URL highlighting."
(direct quote from the program's project page on Freshmeat)
AeroMail is released under the terms of the GNU General Public License.
It seems to have quite a few users.
1) When sending e-mails, you can trick the attachment subsystem into sending
local files from the web server or remote files from URL's instead of uploaded
files as it should.
How is that possible? Well, after PHP has uploaded a file, it sets a few
variables with information about it. One of them is the filename under which
the uploaded file has been temporarily stored. It is important to check that
this variable was set by uploading a file. It might also be normal POSTed
data, in which case you end up with this problem.
2) You can add additional headers to outgoing e-mail messages by sending some
normal data for the To or Cc or Subject fields, a CRLF and then another header
with some data. (A lot of other programs allow this too. It's not just
AeroMail.) This can be used for adding uuencoded attachments up in the headers
with lines ending in CR instead of CRLF, as previously discussed here on
This allows DOS attacks by redirecting, theft of cookies etc.
Issues 1 and 2 require a valid user/password combination to be exploited,
while issue 3 is open to anyone.
The vendor was contacted with an explanation, two exploits and a patch on the
23rd of February. Version 1.45, which is not vulnerable to any of these
issues, was released on the 27th of February.
I recommend that all users upgrade to version 1.45 immediately.
Here are HTML exploits for issues 1 and 2. They are distributed as a
uuencoded, gzipped tar archive.
Issue 3 doesn't need a special exploit - you just send an ordinary mail:
mail -s '<script>self.location.href="http://www.kuro5hin.org/"</script>' \
metaurprontomail.com < /dev/null
// Ulf Harnhammar
begin 644 aeromail_exploits.tar.gz